Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lmsaeb
New Contributor II

Created on ‎11-05-2020 01:21 PM

Weird Traffic

Hi All,

Wondering if you can help me understand why I am this traffic in my reports. The 94.232.46.50 is the source and the 71.181.13.87 is the destination. This traffic was blocked by the Fortigate and I see it tried numerous TCP ports. Below is one line of the log but there are many. The thing is that 71.181.13.87 is not us...I have no idea what that address is? The source was the WAN and the destination was the WAN? Almost as if they were bouncing off our connection to hit another? Anyone have any insight into this? Thanks.

 

16:14:29(-0500) notice deny  94.232.46.50 71.181.13.87 tcp/40155 0 B/0 B  Blocked Connection Attempts Source  Device Name FGT80E4Q17014622  Source Country Bulgaria  Source 94.232.46.50  Source Interface wan1  Source Port 44397  Source Interface Role wan  Destination  Destination Country United States  Destination 71.181.13.87  Destination Interface wan1  Destination Port 40155  Destination Interface Role wan

 

 

 

 

 

2432
0 Kudos
3 REPLIES 3
sw2090
SuperUser
SuperUser

Created on ‎11-05-2020 11:16 PM

looks like some kind of attack maybe.

 

Is it always on the same port? Is there any service reachable via your FGT on that port?

If so it could be bruteforce attack.

Otherwise could be some portscan or something like that. Or just trying to connect to some ports blindly.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
1751
0 Kudos
lmsaeb
New Contributor II
In response to sw2090

Created on ‎11-06-2020 09:41 AM

The thing is why would they hit our WAN interface to scan another entity. The destination IP is not ours.

1751
0 Kudos
boneyard
Valued Contributor
In response to lmsaeb

Created on ‎11-06-2020 11:17 PM

is it from your ISP or close at least? they might have setup wrong routing then.

 

have you done a packet capture to see what kind of traffic it really is, might be encapsulated or such and the fortigate reports it wrong.

1751
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.